Demand for certification to prevent built-in malware

ISO certification would prevent manufactured equipment from being shipped with embedded malware, according to ESET.

Following yet more high-profile incidents of malware being introduced onto devices at the manufacturing stage, ESET believes the time has come to introduce an ISO-type certificate showing that safe digital procedures have been adhered to during the manufacturing process.

Over the last twelve months TomTom, Maxtor, Mocmex and, more recently, HP, to name but a few, have all released goods that gave the user far more than they paid for, with the extra free gift of malware. In addition, INF/Autorun, a generic identification for malware typically found on USB memory keys that tries to use the file autorun.inf as a way of compromising a PC, has been the number one global threat to computer users for the last four consecutive months.

"There are several different ways that this growing threat could be countered that are not reliant on users having up-to-date security," comments Andrew Lee, Chief Research Officer at ESET. "One of the main triggers is Microsoft's autorun feature, or as we like to call it, auto-infect. If Microsoft would only make the intelligent security decision to disable this feature, a lot of machines wouldn't end up compromised."

But as Andrew Lee points out, Microsoft is not the only guilty party. "Other vendors, such as Apple, should also not offer to enable autorun when their products are installed, without at least warning the consumer of the disastrous security hole it opens. Unless some sort of intervention happens soon, the problem will only get worse."

ESET also highlights that VARs, when creating their own custom media and branded devices, frequently introduce malware, either by scanning the master with just one anti-virus product instead of applying defence in depth with multiple scanners, or by performing random quality checks on the finished product on an infected machine.

"In reality, virus scanning should simply be a sanity check," continues Andrew Lee. "Proper building of media means that you know exactly what is on the finished product, which then implies that if your media is infected it was deliberate or you didn't know what you were shipping. Introducing some sort of certification would at least give users assurance that a reasonable level of precaution had been taken."
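The "know exactly what is on the finished product" idea can be checked mechanically by comparing finished media against a manifest taken from the trusted master. The following is an added example, not code from ESET or any vendor named above; the function names, file names and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map lower-cased relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix().lower(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit_media(manifest: dict, media_root: Path) -> dict:
    """Report files on the media that the build manifest does not account for."""
    found = build_manifest(media_root)
    shared = manifest.keys() & found.keys()
    return {
        "unexpected": sorted(found.keys() - manifest.keys()),
        "missing": sorted(manifest.keys() - found.keys()),
        "modified": sorted(k for k in shared if manifest[k] != found[k]),
    }


def demo() -> dict:
    """Constructed scenario: one unit picks up extra files after mastering."""
    with tempfile.TemporaryDirectory() as tmp:
        master, unit = Path(tmp, "master"), Path(tmp, "unit")
        for root in (master, unit):
            (root / "docs").mkdir(parents=True)
            (root / "setup.exe").write_bytes(b"constructed installer bytes")
            (root / "docs" / "readme.txt").write_text("constructed readme")
        manifest = build_manifest(master)  # taken once, from the trusted master
        # Simulate a unit that was handled on a contaminated machine.
        (unit / "AUTORUN.INF").write_text("constructed placeholder")
        (unit / "extra.exe").write_bytes(b"constructed unknown file")
        (unit / "setup.exe").write_bytes(b"constructed installer bytes, altered")
        return audit_media(manifest, unit)


if __name__ == "__main__":
    print(demo())
```

Any non-empty list in the result means the unit differs from what was built, regardless of whether a virus scanner recognises the extra or altered files.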